Patch Now: ‘RediShell’ Threatens Cloud Via Redis RCE

Summary

Wiz Research has disclosed a critical remote code execution vulnerability in Redis (CVE-2025-49844), nicknamed “RediShell.” The flaw is a use-after-free memory corruption that lets an authenticated attacker send a malicious Lua script to escape the Lua sandbox and execute arbitrary native code on the Redis host. It carries a CVSS score of 10.0 and has existed in the codebase for more than a decade. Redis released a patch on 3 October 2025 after Wiz reported the issue in May and demonstrated it at Pwn2Own 2025.

The exposure is large: Wiz says Redis is present in roughly 75% of cloud environments and more than 300,000 instances are currently reachable, including about 60,000 that require no authentication. Many deployments run Redis as container images without adequate hardening, increasing risk in cloud and multi-tenant setups.

Key Points

  • CVE-2025-49844 (RediShell) is a use-after-free RCE in Redis that escapes the Lua sandbox and allows arbitrary native code execution on the host.
  • Severity is maximum: CVSS 10.0 — full host takeover is possible (data exfiltration, encryption, lateral movement, malware/miners).
  • Wiz disclosed the bug; Redis published a security bulletin and patched the issue on 3 October 2025.
  • Over 300,000 Redis instances are exposed on the internet; ~60,000 require no authentication by default.
  • Containerised Redis deployments (about 57% of cloud installs) are often unhardened and represent a major attack surface.
  • Exploit chain is straightforward: send malicious Lua script, escape sandbox, gain arbitrary code execution, establish a reverse shell for persistence.
  • Immediate mitigations: apply the Redis patch, enable authentication (requirepass), restrict network access with firewalls/VPCs, disable Lua for untrusted users, monitor process/network behaviour, and isolate exposed nodes.
  • Organisations should prioritise Internet-exposed instances first, then internal instances that lack authentication; continuous asset discovery and safe exploit simulations are recommended.
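One defender-side check for the mitigations just listed, written as an added example (not from the article or from the Redis project): it parses a redis.conf, flags wildcard binds, protected-mode off, users that can authenticate without a password, and ACL users who still hold the @scripting category (which covers EVAL, EVALSHA and SCRIPT), applying ACL command rules left to right as Redis does. The two sample configs and the finding names are constructed for illustration.

```python
# Constructed sample configs (not from the article); secrets are placeholders.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
user default on nopass ~* &* +@all
"""
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
requirepass REPLACE_WITH_STRONG_SECRET
user default on >REPLACE_WITH_STRONG_SECRET ~* &* +@all -@scripting
user app on >REPLACE_WITH_APP_SECRET ~app:* +@read +@write
"""
def scripting_allowed(rules):
    """Apply ACL command rules left to right (later rules win) and report whether @scripting survives."""
    allowed = False
    for rule in rules:
        if rule in ('allcommands', '+@all', '+@scripting'):
            allowed = True
        elif rule in ('nocommands', '-@all', '-@scripting'):
            allowed = False
    return allowed
def audit(conf):
    """Return sorted finding codes for the given redis.conf text."""
    directives, users = {}, {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition(' ')
        if key.lower() == 'user':
            name, *rules = value.split()
            users[name] = rules
        else:
            directives[key.lower()] = value
    findings = set()
    bind = directives.get('bind', '').split()  # no bind directive = listen on every interface
    if not bind or any(b in ('0.0.0.0', '::', '*') for b in bind):
        findings.add('bind-all-interfaces')
    if directives.get('protected-mode', 'yes').lower() == 'no':
        findings.add('protected-mode-off')
    if 'default' not in users:  # implicit default user: enabled, +@all, requirepass or no password
        secret = ['>' + directives['requirepass']] if 'requirepass' in directives else ['nopass']
        users['default'] = ['on', *secret, '+@all']
    for name, rules in users.items():  # only enabled ('on') users can authenticate
        if 'on' in rules and ('nopass' in rules or not any(r.startswith(('>', '#')) for r in rules)):
            findings.add(f'no-auth:{name}')
        if 'on' in rules and scripting_allowed(rules):
            findings.add(f'scripting-allowed:{name}')
    return sorted(findings)
```

Run `audit()` over each instance's live config (for example the output of `CONFIG GET` and `ACL LIST`) to rank which exposed nodes to patch and lock down first.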

Context and relevance

This matters because Redis is everywhere in modern cloud stacks — caches, session stores, message brokers — and a vulnerability that allows host-level code execution can domino into full cloud-account compromise. The combination of a decade-old bug, default-enabled Lua scripting, widespread container use, and many unauthenticated instances makes this both high-impact and high-probability for attackers.

Treat this like a live incident. If you run Redis in any shape — VM, container, or managed service that exposes the Redis process to other workloads — prioritise patching and network controls now. The detail is important because a single unpatched instance can let attackers steal credentials and move laterally across cloud estates.

Why should I read this?

Short answer: if Redis is anywhere near your infrastructure, you need to act — now. This isn’t theoretical: the exploit is simple, the impact is complete takeover, and there are hundreds of thousands of reachable instances. Read this so you know what to patch, which instances to lock down first, and what quick mitigations to apply if you can’t patch immediately. We’ve done the legwork — go patch.

Source

Source: https://www.darkreading.com/cloud-security/patch-now-redishell-redis-rce